CATALYST
Identity and Access Management (IAM) provides an indispensable set of tools that are essential in the continuing battle to maintain control over who and what can gain access to our systems and applications and the important information that they hold.
ANALYSIS
Introduction
Butler Group last published a Report on IAM in June 2006. It had the working title: ‘Laying the Foundations for a Trusted Business Environment’. The role of IAM and the sentiments expressed then remain unchanged, but significantly, in the intervening two years operational requirements and service delivery environments have moved on dramatically.
To keep pace with changing business and operational circumstances the core components of enterprise IAM have had to be appreciably enhanced and the range of facilities provided has had to be significantly extended. Today, the latest IAM product suites are being equipped to deal with new identity and access control demands including:
Web-based applications, Web 2.0, and other Internet-driven groups.
Web services usage and the influence of Service Oriented Architectures (SOA).
Software as a Service (SaaS).
The burgeoning use of virtual operating environments.
The need for fraud-based activity monitoring.
Federated collaboration.
However, before we get too carried away with the range of new Web-facing facilities and services that are being added to the platform-based toolkits of the industry’s leading IAM providers, it is important to recognise the range of core business protection and continuity services that IAM already delivers. Essentially, the role of IAM is to provide an acceptable balance between the need for corporate privacy and protection and the demands of the user community for open, uninhibited information access. This imperative of protection versus the demand for availability is something that each organisation must scope out to fit its own specific risk profile and one that needs to be deliverable using core IAM technology. Organisations remain responsible for all of the information that they gather in and choose to hold. In Butler Group’s opinion they need to be fully accountable for the upkeep and protection of that information and, where they decide to make it available to authorised users, they also remain accountable for the activities that are carried out on their behalf by employees and third-party business partners.
Extending access to corporate systems and the information that they hold, to an ever-growing range of business users adds significant risk to everyday operations, as does the need for external collaboration with third-party business associates and supply-chain partners.
Business Issues
Across most sectors of business, IT-driven systems, applications, and services are of increasing value to the way that businesses operate, and having such facilities compromised to even a minor extent can severely impact business efficiency. Many organisations – and this cuts across all business sectors – use Web-driven technology to improve the efficiency of their operations and to maximise their revenue streams through the increased exposure and availability of their services via all available channels. All of this is wholly appropriate as long as the correct security and access controls are maintained and a suitable risk-based balance between corporate protection and ease of systems access for all authorised users can be achieved.
Broadening access to business functions has the potential to provide competitive advantage. However, taking into account the increased risk factors, it is extremely important to ensure that the requisite forms of protection are built-in to prevent unintended parties gaining unwanted entry. Consequently, Butler Group firmly believes that the identity-based protection of functionality and the security of identity itself are critical business capabilities. The business necessity to adequately protect corporate systems, the information that they hold, and the rights of individual users, extends beyond the headline-making issues of data theft and vulnerability to external attack. Well-implemented IAM processes can offer strong protection without compromising business value, especially when dealing with common usage requirements such as provisioning new starters with access rights or servicing updated role requirements, password changes, and the ultimate removal of expired accounts.
For many people IAM also facilitates their use of IT in their personal as well as working lives. Therefore, in targeting flexibility and ease of access, identity management must fit in with the roles and habits people bring to their everyday use of technology. That said, flexibility must be controllable in order to ensure that external and internal regulatory mandates and corporate policies are achievable and can be adhered to. The effective and open availability of core information systems is accepted as a key driver of business efficiency, but delivering that same open availability comes with a number of important caveats. Not least amongst these is the need to ensure that a clear duty of care is maintained when it comes to establishing effective controls over how information is accessed and then used. Because of the availability of a vast range of systems and information access channels – remote, local, wired, wireless, Web, etc. – information users have become notoriously difficult to control. As a result, the business community has to recognise that there is no one-size-fits-all answer to managing user authentication and systems access. As such, the selected authentication methods that are deemed to be appropriate must match up with specific user roles, the sensitivity of the information that is being made available, and usage rights once access has been granted.
Clearly the core identity management, access control, administration, and reporting services that a fully functioning IAM suite is capable of delivering, and the protection and operability services that it provides, need to be focused towards the requirements of the business. Butler Group sees this as an important issue, especially as the IAM market is moving more towards the delivery of user- and business-specific protection solutions in terms of how users are managed, the use of controls over their access rights, and the monitoring and reporting of their activities.
Technology Issues
The core business demand for identity management and access control facilities that fulfil everyday business requirements has not changed. In fact, due to the growing range of systems and communications channels that are being made available to industry, the reliance on IAM technology has grown significantly. Indeed C-level executive feedback that Butler Group has received from a number of leading CIOs and CSOs confirms that IAM continues to be placed high on their respective security agendas.
Technology issues such as the need for better identity-based authentication controls, improved Single Sign-On (SSO) capabilities, requirements for fully aligned provisioning and reporting services, and the need to manage people, and risk, more professionally are just a few of the issues that have been raised during recent discussions. Also, the fact that the provision of secure, good-quality access control continues to be the number one IAM business security requirement was a commonly represented response. Going forward, leading business users are looking to extend the use of federated IAM services in order to improve the collaborative efficiency of intercompany transactions. However, on the downside, the opinion was commonly expressed that the existing generation of IAM solutions could be improved upon and, given the correct set of circumstances, many CIOs would take the opportunity for wholesale product replacement. That notwithstanding, the existing range of mainstream IAM solutions that are available to the market today are more comprehensive than their predecessors and have extended their protection services to support the use of Web and other remote access channels, thereby significantly expanding the responsibilities of the technology beyond corporate boundaries. Along similar lines, the need to facilitate inter-company relationships through the use of federated IAM facilities is also beginning to change the way that available solutions are being used.
The technology strategies for most IAM vendor solutions now include an ability to fully support Web-based operations. Such operations are increasingly seen as fundamental to the management of access rights for external users and third-party employees. The growing interest in SOA, as it evolves as a means of promoting technology reuse without the need to tear down existing infrastructure, is already beginning to have an impact on the security sector in general. Its protection requirements are also particularly relevant to the IAM sector because of the need to check identity dynamically within SOA environments, and because standards-based message types and associated identity-based authorities need to be controlled at this level.
Also, with a significant portion of current licensed software markets likely to take up the opportunity to migrate towards the service-based facilities of SaaS and the use of secure Web services, IAM vendors are broadening their offerings to include the ability to protect services-based environments. Irrespective of the particular mode of service that is being offered, the need to continuously secure usage requests and information sources when outside the organisation and to ensure that privacy and integrity remain intact are the main IAM service delivery issues. Essentially, the requirement is to ensure that levels of services protection can be aligned and integrated with existing protection requirements and operational policies.
Other additional areas that are being addressed within IAM for the first time include protection for Web 2.0 usage. This is because, without the identity-based controls that are available from IAM enforcement, new opportunities for information and systems misuse will undoubtedly open up. Fraud monitoring and reporting capabilities are also being introduced across a number of leading IAM solutions which are now adding further levels of user and business-usage protection. Finally, the functional capabilities of Data Loss Prevention (DLP) are considerably improved when the technology is deployed alongside an operationally secure IAM solution – making it easier to identify users that are failing to comply with corporate information usage policies.
Market Issues
The IAM sector has undergone extensive change over the last five years. Over that period solutions from companies such as Baltimore Technologies, Encentuate, Netegrity, Oblix, and Protocom have been acquired by larger enterprise vendors, whilst significant players such as Hewlett Packard have chosen to exit the market, and even doyens of the industry such as RSA now exist as the security divisions of larger software companies (in this particular case EMC). The pressure to offer an ever broadening range of capabilities has already led to a small number of vendor withdrawals from the IAM market, and we suspect that other existing IAM providers are currently considering their positions. That being the case, vendor consolidation is becoming a major change factor and Butler Group recommends that organisations, as current or potential customers of the IAM sector, should make themselves fully aware of the future market strategies of their potential suppliers.
For the remaining vendors – many of whom have given the IAM sector a predominantly enterprise slant – a combination of business and societal environment factors, well thought-out product development, and substantial investment in acquisitions means that IAM has broad appeal across most vertical sectors.
Butler Group sees this alignment with business needs to be proof of the value of IAM, which is now in evidence across a greater span of industry than many mainstream technology solutions. Identity-based security has become recognised as a foundation for formalised service management, with its automated capabilities increasingly favoured by organisations needing to make savings in the cost of supporting IT systems. Finally, in Butler Group’s opinion, user identity and its successful management across the enterprise is so central to the general systems-access requirements of most individuals and organisations that there is already a massive potential for value to be gained by businesses and society as a whole. Enterprises have long been ready to take the large step forward that would see closer customer relationships being driven by the use of identity. Going forward, as online identity services develop further, we expect that diversity will become less of a problem due to the improved use of standards, but on the other hand, as with most mature technology markets, it is likely that further vendor consolidation will result in reduced product choice.
Butler Group Market Lifecycle Positions
Butler Group’s Vendor Ranking and Assessment Model groups suppliers into Shortlist, Consider, and Explore categories, and shows the predicted progress through the three major phases of Early Adopter, Market Adoption – where the IAM sector currently resides – and Market Maturity. Within each individual grouping vendors are listed alphabetically.
Product Performance Table
The following Product Performance Table provides Butler Group’s summary of the analysis and market positioning of each vendor’s current solution, taking into account all research and how well we feel that each vendor addresses the market.